This is an update on my preliminary implementation of support for
tainted variables in PHP. To get more feedback from developers with
Windows systems, I have built Win32 binaries. These are available
in ZIP and Windows installer format from http://wiki.php.net/rfc/taint/
and are compatible with the binaries from http://www.apache.org/

As a reminder, the goal of this project is to help PHP application
programmers find and eliminate opportunities for HTML code injection
(i.e. XSS), SQL or shell code injection, or PHP control hijacking,
before other people can exploit them. With 1% run-time overhead,
taint support may also be used as a safety net in production.  The
preliminary implementation provides taint support for basic operators,
for a selection of built-in functions and extensions (pcre, mysql,
mysqli), and for the Apache server APIs.

For source, binaries and more please see http://wiki.php.net/rfc/taint/

        Wietse

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
